Thursday, December 11, 2014

"And with each passing year it is going to seem more quaint, the little tin airplanes bombing the sleepy iron giants" -J. MacDonald

December 7th marked the 73rd anniversary of Pearl Harbor, one of the scariest events in our nation's history.

These days a nation-state can terrorize you (and by “you,” I mean anyone or anything - an entire country, a government branch, a company, an individual) with computers alone. In this week's case, the “you” is Sony Pictures’ employees, who may well be out of a job before the attack by North Korea is over. But it also includes banking executives such as those at JPMorgan who are dealing with a constantly escalating threat from cyber attacks.

Don’t be fooled by the rather circumstantial public evidence that ties the Sony attack to North Korea - that’s just cover for the real intelligence behind the attribution assertion, which is no doubt air-tight. As “hard” as the attribution problem is, major attacks always have attribution, if for no other reason than that North Korea’s military needs to make its point: don’t “mess with them.”

And if you’re sitting in your living room or office, far away from Sony Pictures, you should still be scared, because in its own way, this is worse than Pearl Harbor. A naval battle is something only another nation-state could do - but a cyber attack can be done by a near peer. In the case of the Sony Pictures attack, it seems clear this was conducted by North Korea; but the next Sony-like attack could easily be done by angry environmental groups, a religious sect, or a group of people simply “out for the lulz.”

So what can we do about this new reality? The first step is to embrace it. We cannot ask our government to do more to protect us. In fact, we need to ask it to do less. We’ve drained our investigative resources by having the FBI and Secret Service spend their time tracking down every teenager who managed to collect some stolen credit cards. We need to make a shift into letting that risk be the problem of the people who built the broken credit card system in the first place.

Likewise, right now the government is trying to negotiate on behalf of American businesses with the Chinese. The trillions of dollars worth of IP being stolen by their military-grade hackers every year is going directly to Chinese businesses. This negotiation is going to fail because those Chinese businesses own the Chinese Government the way our big companies own ours.

Businesses need to prepare to take actions directly to protect themselves - by massively investing in effective information security technology practices they can support, by changing the way they do business to avoid exposing themselves, and by allowing themselves to punish Chinese companies and people directly for involvement in IP theft. Right now, technical experts walk right out of "APT1" and into the arms of jobs at American cyber security companies. This could easily stop with a simple "no hire" policy, draining the Chinese state of its offensive talent.

Sony's terrible week is not the beginning, any more than Pearl Harbor was a beginning. But it changes the security story for every US company. It used to be that compliance drove spending. Expect to see real security spending driving adoption of new technologies and macro-sized budgets. It's ironic that a Japanese company had to die to teach us that lesson...